TECHNICAL SPECIFICATIONS
Services Supported
•Bootp, http, irc, netstat, pop3, SNMP, tftp, pptp, dns, https, kerberos, nntp, rip, ssh, who, RADIUS, eigrp, ident, LDAP, ntp, rip2, syslog, shell, X11, exec, gmp, login, OSPF, rlogin, telnet, talk, H.323, SIP, ftp, imap, mbone, ping, rsh, traceroute, lotus notes, VoIP/SIP, Gopher, IPSec, netbios, pointcast, mtp, sql*net
•Any IP protocol (user definable)
•Any IP protocol + layer 4 ports (user definable)
•Support for
Layer-7 Application Support
•Application Filter architecture supports
Firewall Attack Detection and Protection
•Generalized Day 0
•SYN flood protection to specifically protect inbound servers, e.g. Web servers, from inbound TCP SYN floods
•Strict TCP validation to ensure TCP session state enforcement, validation of sequence and acknowledgement numbers,
•Rejection of bad TCP flag combinations
•Initial Sequence Number (ISN) rewriting for weak TCP stack implementations
•Fragment flood protection with robust fragment reassembly, ensures no partial or overlapping fragments are transmitted
•Generalized IP packet validation including detection of malformed packets
•DoS mitigations for over 190 DoS attacks, including ping of death, land attack, tear drop attack, etc.
•Drops bad IP options as well as source route options
•Connection rate limits to minimize effects of new attacks.
QoS/Bandwidth Management
•Classified by physical port, virtual firewall, firewall rule, session
•Bandwidth guarantees – Into and out of virtual firewall, allocated in bits/second
•Bandwidth limits – Into and out of virtual firewall, allocated in bits/second, packets/session, sessions/second
•ToS/DiffServ marking and matching
•Integrated with application layer filters
Content Security
•HTTP Filter Keyword support integrated with HTTP Application Filter
•Basic content filtering with configurable whitelist/blacklist and content keyword matching.
•URL redirection for blacklist sites
¬Interoperates with all 3rd party
¬Redirects only
•Unknown protocol command handling
•Extensive
•Hostile mobile code blocking (Java®, ActiveX™)
Firewall User Authentication
•Local passwords, RADIUS, SecurID
•User assignable RADIUS attributes
•Certificate authentication
VPN
•Maximum number of dedicated VPN tunnels – 7,500
•Manual Key, IKEv1, IKEv2, DoD PKI, X.509
•3DES
•AES (128, 192,
•Replay attack protection
•Remote access VPN
•IPSec NAT Traversal/UDP encapsulated IPSec
•IKEv2 IPSec NAT Traversal and dead peer detection
•LZS compression
•Spliced and nested tunneling
•Fully meshed or hub and spoke
VPN Authentication
•Local passwords, RADIUS, SecurID, X.509 digital certificates
•PKI Certificate requests (PKCS 12)
•Automatic LDAP certificate retrieval
•DoD PKI
High Availability
•VPN Firewall Brick security appliance to VPN Firewall Brick security appliance active/passive failover with full synchronization
•400 millisecond device failure detection and activation
•Session protection for firewall, VoIP and VPN
•Link failure detection
•Alarm notification on failover
•Encryption and authentication of session synchronization traffic
•Seamless system upgrade with no downtime for redundant deployments